Method and system for generating implicit certificates and applications to identity-based encryption (IBE)

ABSTRACT

The invention relates to a method of generating an implicit certificate and a method of generating a private key from a public key. The method involves a method generating an implicit certificate in three phases. The public key may be an entity&#39;s identity or derived from an entity&#39;s identify. Only the owner of the public key possesses complete information to generate the corresponding private key. No authority is required to nor able to generate an entity&#39;s private key.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims priority from U.S. Provisional PatentApplication No. 60/950,262 filed on Jul. 17, 2007, hereby incorporatedby reference.

FIELD OF INVENTION

The invention relates generally to the field of encryption. Inparticular, the invention relates to a system and method for providingimplicit certificates that can be used in an identity-based encryptionsystem.

BACKGROUND OF INVENTION

Public key cryptography utilizes a public key and a private key that aremathematically related. The relationship is such that the public key canreadily be computed from the private key but computation of the privatekey from the public key is considered infeasible. The private key isthus maintained secret. The keys are used in a variety of well knownprotocols to secure or sign messages. To secure a message, the publickey of the recipient is used by the sender to encrypt the message andthe recipient uses his private key to decrypt the message. To sign amessage, the author uses her private key to generate a signature whichcan be verified by use of the public key by any recipient. In each case,the public key has to be obtained from a trusted party, such as atrusted authority (“TA”).

In identity-based public key cryptography, an entity's public key is itsidentity, such as an e-mail address, or a derivation thereof. Anidentity-based encryption (“IBE”) system has numerous advantages, mostnotably:

-   -   1. No need for a sender to obtain a public key before encrypting        a message;    -   2. Encryption can be done by the sender before the recipient        possesses a private key;    -   3. Identities can be chosen by the sender, not just the        recipient;    -   4. Existing identities and addresses can be made into public        keys; and    -   5. Public keys can be humanly memorizable.

Many identity-based encryption schemes have been proposed. In one simplescheme, each user is responsible for generating its own private/publickey pair. The user does not disclose its private key to anyone,including the TA. Each user may simply adopt its public key as itsidentity, for example, using it as an e-mail or website address. Theuser, however, would have to be content with whatever public key thatmay be generated and use it (or a representation thereof) as itsidentity, such as an e-mail address or website address. There are otherIBE schemes proposed as well, but none has been deemed practical.

It is an object of the present invention to mitigate or obviate at leastone of the above mentioned disadvantages.

SUMMARY OF INVENTION

In one embodiment, an IBE system is based on implicit certificatesissued by a certification authority (“CA”). In a pre-certification phaseof the implicit certification process a recipient requests a certificatebut then receives its implicit certificate only after it receives anencrypted message from a sender who chooses the identity of therecipient. The certification authority issues the implicit certificateto the sender and recipient as needed, and does the necessaryauthentication (identity proofing) along the way. The certificationauthority, however, does not have possession of the private key of therecipient. The recipient constructs its own private key by combining theimplicit certificate received from the CA, its own secret contributionand any public information related to the recipient that may be selectedby any one of the recipients, the CA and the sender. In this scheme,both the public key and the private key of the recipient are based onthe recipient's identity.

In one aspect of the invention, there is provided a method oftransmitting messages encrypted with identity-based public keys derivedfrom information provided by a certification authority. Thecertification authority has a pair of public and private keys. Themethod includes the steps of providing a recipient's registrationrequest and registration information to the certification authority, theregistration information including the recipient's identity informationselected by the recipient and the registration request correlating to afirst secret value selected by the recipient; providing the recipientselected identity information to a sender; upon receiving a request fromthe sender and another of the recipient's identity information selectedby the sender, the certification authority generating a public keyreconstruction data from the registration request, the registrationinformation, the sender selected identity information of the recipient,a second secret value selected by the certification authority and acertificate information selected by the certification authority;transmitting an implicit certificate to the sender, the implicitcertificate including the public key reconstruction data and thecertificate information, reconstructing a public key of the recipientfrom the implicit certificate, the certificate information and thecertification authority's public key; and transmitting to the recipienta message encrypted with the public key of the recipient together withan indication that the public key is reconstructed from the implicitcertificate.

To decrypt a message received from the sender, the recipient transmits aprivate key request to the certification authority, the private keyrequest includes all identity information of the recipient used duringgenerating the implicit certificate. The certification authority thenprovides a private key reconstruction data and the public keyreconstruction data to the recipient for the recipient to reconstructits private key. The private key reconstruction data is generated bycombining mathematically the certification authority's private key, theall identity information, the public key reconstruction data, and thesecond secret value. A private key of the recipient is generated fromthe implicit certificate, the certification information, the private keyreconstruction data and the first secret value.

In another aspect of the invention, there is provided a method ofproviding a recipient's public key to a sender and a private keycorresponding to said public key to the recipient. The method includesthe following steps. First, said recipient selects a secret contributionto said public key and generates a registration request information fromsaid secret contribution, and then provides said registration requestinformation and a first identify information associated with therecipient to a certification authority. A sender, when requiring therecipient's public key, transmits to the certification authority arequest for an implicit certificate of the public key, said implicitcertificate request including said first identity information and asecond identity information of the recipient. The certificate authoritygenerates a public key reconstruction data from the registration requestinformation, the first and second identity information, a certificateinformation selected by the certification authority and a privatecontribution selected by the certification authority, and transmits saidimplicit certificate to the sender, the implicit certificate includingsaid public key reconstruction data and said certificate information.The sender computes the public key from the implicit certificate and thecertification authority's public key and uses the public key forexchanging information with the recipient. The recipient, when requiringits private key to decrypt message received from the sender, send aprivate key request to the certification authority. The certificationauthority generates and provides a privatization information to therecipient, along with the implicit certificate. The recipient thencomputes the private key from the implicit certificate and theprivatization information.

In other aspects the invention provides various combinations and subsetsof the aspects described above.

BRIEF DESCRIPTION OF DRAWINGS

For the purposes of description, but not of limitation, an embodiment orembodiments of the invention will now be explained in greater detail byway of example with reference to the accompanying drawings, in which:

FIG. 1 is a diagram illustrating schematically an IBE system, in whichone member of the system acts as a certification authority; and

FIG. 2 is a flowchart illustrating schematically steps of a method forissuing implicit certificates and computing public/private key pairs foruse in the IBE system shown in FIG. 1.

FIG. 3 is a table summarizing a method of three-phase implicitcertification.

DETAILED DESCRIPTION OF EMBODIMENTS

The description which follows, and the embodiments described therein,are provided by way of illustration of an example, or examples, ofparticular embodiments of the principles of the present invention. Theseexamples are provided for the purposes of explanation, and notlimitation, of those principles and of the invention. In the descriptionwhich follows, like parts are marked throughout the specification andthe drawings with the same respective reference numerals.

FIG. 1 illustrates schematically an IBE system 100, which includes acentral certification authority 102. The IBE system 100 has a number ofusers, or entities 104, including a sender 106 (or more commonly calledsender Alice, or sender A) and a recipient 108 (or more commonly calledrecipient Bob, or recipient B). Each user 104 communicates with the CA102 through a communication link 110. The CA is a central certificationauthority but not a trusted authority.

Sender 106 and recipient 108 exchange messages through a communicationchannel 112 between the pair of users. When sender 106 needs to send amessage, sender 106 generates a session key z to encrypt the message.The session key z is constructed from the public key of recipient 108and the sender's own private key. The result of the encryption, namely,encrypted message, is sent to recipient 108 through communicationchannel 112. The public key of recipient 108 is derived from theidentity information of recipient 108 in a systemic manner describedherein. The recipient 108 likewise generates a session key from hisprivate key and the public key of the sender so as to decrypt themessage. The private key is computed by the recipient 108 frominformation possessed by the CA 102 and a secrete contribution to theprivate key from the recipient 108 itself.

The general relationship between a private key and the secretcontribution to the private key from its owner is the same for allusers. This is desirable as all users may use the same correspondencefor constructing their own private keys. The recipient 108 thereforemust keep secret its contribution to its own private key so that noteveryone can compute its private key from the general relationship.

The CA does not need to be trusted by any user in that the CA does notpossess any private key of any user. It is sufficient that the CApossesses sufficient information about a user so that the user'sidentity can be authenticated by the CA. Instead of possessing privatekeys of all users, the CA 102 provides the necessary data for therecipient 108 to construct its private key when needed. Likewise, the CAalso provides the necessary data for the sender 106 to construct apublic key of the recipient 108 when needed. In a scheme describedbelow, the CA sends an implicit certificate to the sender for the senderto compute the public key of the recipient and to the recipient tocompute its corresponding private key.

The IBE system 100 may be implemented on any message exchange network.For example, the communication system 100 may be based on postal mail.Each user is identified by a name and a postal address. The delivery ofmail by postal offices establishes the communication channel 112. Thecommunication system 100 may also be an electronic message networksystem. Each user has a network address at which the user can bereached. The communication channel 112 is then a network connection thatlinks the pair of users. For example, in case the communication systemis an e-mail system, the network address is an e-mail address. In casethe communication system is a mobile phone text message system, thenetwork address is a phone number. The connection between the pair ofusers may be an internet-based connection or a public switch exchangebased connection, or any other suitable data communication link.

Although here one user is designated as sender 106, the same descriptionapplies when the pair of users reverse roles, namely when the other usersends electronic messages. It is only for the convenience of descriptionthat one user is designated a sender and the other user is designated arecipient.

Further, in this specification, “sender” is used interchangeably torefer to a user of the system who sends messages, a message softwareprogram employed for sending electronic messages by the user such as ane-mail program, or a general-purpose computer on which the messageprogram for sending electronic messages is executed, unless the contextrequires otherwise. The general-purpose computer typically has a CPU, amemory storage device and a storage device, both accessible to CPU, andinput/output (I/O) devices. The message program may be stored on thestorage device. Likewise, the term “recipient” is used interchangeablyto refer to a user of the system who receives messages, a messagesoftware program employed by the user for receiving electronic messagesor a general-purpose computer on which the message program for receivingelectronic messages is executed, unless the context requires otherwise.

Referring to FIG. 2, there is shown schematically a method of issuingimplicit certificates for users to reconstruct public and private keys.According to this method, certificates are issued in several phases, andin such a way as to achieve many of the benefits of identity basedencryption. The method is a process 200, as summarized in FIG. 3 below,that includes at least three phases. The three phases are registration202, publication 204 and privatization 206.

TABLE 2 Three-Phase Implicit Certification Phase CA Bob AliceRegistration

Publication

Privatization

During registration 202, a recipient Bob 108 registers to acertification authority 102. Bob 108 registers by submitting to the CA102 a registration request R and his registration information. Theregistration information includes his identity-related information I₁,such as his e-mail address. The registration request is derived from asecret contribution such as a secret number, r, from the recipient Bob108. The secret contribution r is known to Bob only, while both Bob 108and the CA 102 keep the registration request R confidential betweenthem. Preferably, the registration request R is derived from acryptographic operation on the secret contribution r so that the CAcannot have any knowledge of r.

The following is an example of computing R from a secret contribution inan elliptic curve cryptosystem. The recipient Bob 108 first at step 210selects a random integer t in the range [1, n−1] as his secretcontribution, where n is the order of the elliptic curve group E with agenerator point G. The registration request R is a product of theinteger r and the generator G of the elliptic curve group E:R=r*G

At step 212, the recipient Bob 108 submits I₁ and R to the certificationauthority 102 over a secure channel. Bob does not reveal r to anyone atall. R is disclosed to the CA, but not anyone else. Bob'sidentity-related information I₁, however, is made generally available,in particular to the sender Alice 106. Bob can do so, for example, bysending it directly to Alice; alternatively Alice 106 can retrieve itfrom a public directory service such as the certification authority 102.

During registration 202, the certification authority 102 does not issuean implicit certificate to Bob, but does obtain security informationfrom Bob and check Bob's credentials according to its policies so thatit is able to issue an implicit certificate for Bob later. As willbecome clear later, the registration request R contributes to Bob'spublic key B and private key b while his secret number r contributesonly to his private key b.

During publication 204, the sender Alice 106 asks the certificationauthority 102 to issue an implicit certificate for Bob (step 220). Thecertification authority 102 computes an implicit certificate (step 222)and issues the implicit certificate to Alice (step 224). Alice 106computes at steps 226 Bob's public key from the implicit certificatereceived.

When requesting for the issuance of an implicit certificate at step 220,Alice 106 selects and includes another piece of information I₂ thatrelates to Bob's identity. For example, Alice can select parameters suchas Bob's birth date, age or nationality.

At step 222, the certification authority 102 establishesidentity-related information I₃ selected from Bob's credentials ascertificate information and computes an implicit certificate asdescribed below. For the set of identity-related information I₁, I₂ andI₃, the certification authority 102 first selects a random integerk_(11, 12, 13) from the range [1, n−1]. The certification authority 102notes this correspondence between the set of identity-relatedinformation I₁, I₂ and I₃ and the random integer k_(11, 12, 13) selectedfor this request from the sender. In establishing a correspondencebetween Bob's identity-related information and the random integer, thecertification authority may choose not to use I₁, not to use I₃ or notto use both. But in general, the identity-related information I₂selected by the sender Alice is always included. For example, thecertification authority may compute a pseudorandom number k from a keyedpseudorandom function with I₂ as the only identity-related informationin the function's input.

The certification authority 102 then computes Bob's reconstructionpublic data P, a hash value h, and a secret integer s according to thefollowing equations:P=R+k _(11,12,13) *Gh=H(P,I ₁ ,I ₂ ,I ₃)s=k _(11,12,13) *h+c mod nwhere H is preferably a secure hash function and c and C are the CA'sprivate and public keys, respectively. The certification authority 102issues an implicit certificate (P; I₂) to Alice 106 at step 224. Itshould be noted that the implicit certificate (P; I₂) is for thisrequest only. It is possible that in another session, either requestedby Alice or some other users, the same set of identity-relatedinformation I₁, I₂ and I₃ is selected but a different random integerk′_(11, 12, 13) is generated, in which case, there will be a differentimplicit certificate (P′; I₂).

At step 226, Alice 106 computes Bob's public key B by firstreconstructing h and then computing B:h=H(P,I ₁ ,I ₂ ,I ₃)B=h*P+CIt is presumed above that the certification authority 102 has alreadypre-distributed its public key C to Alice 106 and Bob 108 in anauthentic manner.

Using Bob's public key B, Alice is able to encrypt her message m to Bob:M=ENC _(B)(m)Where ENC_(B)( ) represents an encryption operation that incorporatesBob's public Key B. The encrypted message M can be sent to Bob in anymanner, for example, over a non-secure communication channel 112 betweenAlice and Bob. In order for Bob to be able to decrypt the encryptedmessage, Alice also sends I₂ and I₃ along with the encrypted message Mto Bob.

At this point, Bob does not have his private key b associated with thenewly issued implicit certificate (P; I₂) nor his public key B. Thus,upon receipt of the encrypted message M from Alice 106, Bob 108 is notable to decrypt the message. Instead, Bob is notified by headerinformation associated with the encrypted message or by some other meansthat the message M has been encrypted with a certain certificate and Bobmust determine the private key with assistance of the certificationauthority 102. Bob determines the private key b during privatization 206and decrypts the message M once the private key is determined.

During privatization 206, Bob 108 requests the certification authority102 supply the necessary information that completes the input to hisprivate key generation algorithm. First, at step 230, Bob sends to thecertification authority 102 the necessary identifying information I₂ andI₃ provided by Alice as well as the identifying information I₁ initiallysubmitted by Bob during registration 202. At step 232, Bob's request forinformation is verified. The necessary information required by Bob isthe reconstruction of public data P and the CA's secret contribution s:the pair (P, s). To discourage any fraudulent attempt by an adversary,the certification authority 102 first verifies that Bob is who he claimsto be, as in registration, and will further check that any extraconditions in the new implicit certificate such as I₂, I₃ received fromAlice, are also met. Once the certification authority is satisfied, itsends Bob the necessary information, (P, s), that Bob needs to completethe calculation of the new private key corresponding to the new implicitcertificate (P; I₂).

At step 234, Bob reconstructs his private key by computing the hashvalue h and then his private key b.h=H(P,I ₁ ,I ₂ ,I ₃)b=r*h+s mod n  (2)At this point, Bob 108 is able to decrypt the encrypted message M fromAlice 106:m=DEC _(b)(M)

It will be appreciated that at no point will the certification authority102 be able to learn Bob's private key b. In particular, thecertification authority does not have nor is able to obtain Bob'sprivate key because Bob's contribution to his private key, r, is alwayskept secret. The certification authority is therefore not able todecrypt or sign for Bob, even after Bob's public key has gone intoactive use. In this respect, the certification authority 102 does notneed to be a trusted authority, in the sense of conventionalidentity-based encryption and signatures. In other words, thecertification authority needs to be trusted to verify the authenticityof Bob's identity, but does not need to be trusted further. Indeed,Bob's private key is not trusted to the certification authority 102.

Optionally as a further step, Bob 108 can verify the authenticity of theresponse (P, s) received from the certification authority 102. Bob 108already knows his contribution I₁ to the implicit certificate and hisconfidential certificate request R. He also has the contribution I₂selected by Alice 106 and I₃ selected by the certification authority102. When Bob receives the response (P,s) to the certificate request R,it is possible for Bob to verify the authenticity of the response bychecking that the following equation holds.B=h*R+s*G=h*P+C=BThis equation should hold because

$\begin{matrix}{B = {{b*G} = {{\left( {{h*r} + s} \right)*G} = {\left( {{h*r} + {h*k} + c} \right)*G}}}} \\{= {{h*\left( {k + r} \right)*G} + {c*G}}} \\{= {{{h*P} + C} = B}}\end{matrix}$Thus Bob knows the logarithm of B=h P+C with respect to the generatorpoint G. Alice can reconstruct B using only the reconstruction publicdata P, the certificate information (I₁, I₂, I₃), and the CA's publickey C.

The certification authority will generally need to store Bob'scertificate request R. When the certification authority generates itscontribution k_(11, 12, 13) to Bob's private key, the certificationauthority may want to do so by a secret deterministic function of (I₁,I₂, I₃). This way, the certification authority will not need to storek_(11, 12, 13) separately for each publication of an implicitcertificate, nor to record any correspondence between the storedk_(11, 12, 13) and the set of identity information (I₁, I₂, I₃), or thecertificate request R.

In practice, a single registration phase may correspond to manydifferent publication and privatization phases. For example, Alice mayrequest an implicit certificate on a per message basis, so that eachprivate key that Bob computes will only be applicable to one message.Alternatively many different users may request different implicitcertificates for sending their messages to Bob, thus requiring separatepublication and privatization phases corresponding to each implicitcertificate issued to each of these different users.

Various embodiments of the invention have now been described in detail.Those skilled in the art will appreciate that numerous modifications,adaptations and variations may be made to the embodiments withoutdeparting from the scope of the invention. Since changes in and oradditions to the above-described best mode may be made without departingfrom the nature, spirit or scope of the invention, the invention is notto be limited to those details but only by the appended claims.

What is claimed is:
 1. In a communication system comprising at least acertification authority computer of a certification authority, a sendercomputer of a sender and a recipient computer of a recipient, thecertification authority computer, the sender computer and the recipientcomputer communicating with each other over communication network, acomputer-implemented method of transmitting messages encrypted withidentity-based public keys derived from information provided by thecertification authority, said certification authority having a pair ofpublic and private keys, said method comprising: the recipient computerproviding a recipient's registration request to the certificationauthority computer over the communication network, said registrationrequest correlating to a first secret value selected by the recipientcomputer; upon receiving a request from the sender computer, saidrequest from the sender computer including an identity information ofthe recipient selected by the sender, the certification authoritycomputer generating a public key reconstruction data from saidregistration request, said identity information selected by the sender,a second secret value selected by the certification authority computerand a certificate information selected by the certification authoritycomputer; the certification authority computer transmitting an implicitcertificate to the sender computer over the communication network, saidimplicit certificate including said public key reconstruction data andsaid certificate information; the sender computer reconstructing apublic key of the recipient from said implicit certificate, saidcertificate information and the certification authority's public key;the sender computer transmitting to the recipient computer over thecommunication network a message encrypted with said public key of therecipient together with an indication that said public key isreconstructed from said implicit certificate, said indication includingsaid sender selected identity information.
 2. The computer-implementedmethod of claim 1, further including the step of providing anotheridentity information of the recipient to the certification authoritycomputer over the communication network, said another identityinformation being selected by the recipient, wherein said public keyreconstruction data incorporates contribution from said another identityinformation.
 3. The computer-implemented method of claim 1, wherein saidcertificate information includes a third identity information of therecipient selected by the certification authority computer.
 4. Thecomputer-implemented method of claim 1, further comprising: therecipient computer transmitting a private key request to thecertification authority computer, said private key request including allidentity information of the recipient used during generating saidimplicit certificate, the certification authority computer providing aprivate key reconstruction data and said public key reconstruction datato the recipient computer, said private key reconstruction data beinggenerated by combining mathematically the certification authority'sprivate key, said all identity information, said public keyreconstruction data, and said second secret value, wherein a private keyof the recipient is generated by the recipient computer from saidimplicit certificate, said certification information, said private keyreconstruction data and said first secret value.
 5. Thecomputer-implemented method of claim 1, further comprising: thecertification authority computer establishing a correspondence betweensaid second secret value and the request from the sender computer. 6.The computer-implemented method of claim 5, wherein said correspondenceis established using a secret deterministic function incorporatingcontributions from all identity information used during generating saidimplicit certificate.
 7. The computer-implemented method of claim 1,wherein an elliptic curve encryption scheme is used, and the public keyreconstruction data is determined mathematically by the certificationauthority computer from the formula R+kG, wherein R is the registrationrequest, k is the second secret value selected by the certificationauthority computer and G is a generator of an elliptic curve group Eselected for the elliptic curve encryption scheme.
 8. Thecomputer-implemented method of claim 7, wherein the private keyreconstruction data is determined mathematically by the certificationauthority computer from the formula kh+c mod n, wherein h is a hashvalue derived from the implicit certificate, c is the certificationauthority's private key and n is the order of the elliptic curve groupE.
 9. The computer-implemented method of claim 8, wherein therecipient's public key is determined mathematically by the sendercomputer from the formula hP+C and the recipient's private key isdetermined mathematically by the recipient computer from the formularh+s mod n, wherein P is the public key reconstruction data, C is thecertification authority's public key, r is the first secret valueselected by the recipient computer and s is the private keyreconstruction data.
 10. A computer-implemented method of providing arecipient's public key to a sender computer of a sender and a privatekey corresponding to said public key to a recipient computer of therecipient, the sender computer, the recipient computer and acertification authority computer of a certification authoritycommunicating with each other over communication network, said methodcomprising the steps of: said recipient computer selecting a secretcontribution to said public key and generating a registration requestinformation from said secret contribution, said recipient computerproviding said registration request information and a first identifyinformation associated with the recipient to the certification authoritycomputer over the communication network; said sender computertransmitting to the certification authority computer over thecommunication network a request for an implicit certificate of thepublic key, said implicit certificate request including said firstidentity information and a second identity information of the recipientselected by the sender computer; the certificate authority computergenerating a public key reconstruction data from the registrationrequest information, the first and second identity information, acertificate information selected by the certification authority computerand a private contribution selected by the certification authoritycomputer; the certification authority computer transmitting saidimplicit certificate to the sender computer over the communicationnetwork, the implicit certificate including said public keyreconstruction data and said certificate information; the sendercomputer computing the public key from the implicit certificate and thecertification authority's public key; upon receiving a private keyrequest from the recipient computer, the certification authoritycomputer providing a privatization information and the implicitcertificate to the recipient computer over the communication network;and the recipient computer computing the private key from the implicitcertificate and the privatization information.
 11. Thecomputer-implemented method of claim 10, wherein the privatizationinformation is generated by combining mathematically the implicitcertificate, the private contribution selected by the certificationauthority computer and the certification authority's private key.
 12. Ina communication system comprising at least a certification authoritycomputer, a sender computer of a sender and a recipient computer of arecipient, the certification authority computer, the sender computer andthe recipient computer communicating with each other over communicationnetwork, a computer-implemented method of providing the recipient'spublic key to the sender computer, said public key being based onidentity information of the recipient, said method comprising: therecipient computer providing the recipient's registration request to thecertification authority computer the communication network, saidregistration request including the recipient's first identityinformation and registration information correlating to a first secretvalue selected by the recipient computer; the recipient computerproviding said first identity information to the sender computer overthe communication network; the sender computer transmitting to thecertification authority computer over the communication network arequest for an implicit certificate, said request including said firstidentity information and a second identity information of the recipientselected by the sender computer; the certification authority computergenerating a public key reconstruction data from said registrationrequest, said first and second identity information, a third identityinformation of the recipient selected by the certification authoritycomputer and a second secret value selected by the certificationauthority computer; the certification authority computer transmitting animplicit certificate to the sender computer over the communicationnetwork, said implicit certificate including said public keyreconstruction data and said third identity information; and the sendercomputer reconstructing a public key of the recipient from said publickey reconstruction data, said first, second and third identityinformation and the certification authority's public key.